On 6/8/06, James M Snell <[EMAIL PROTECTED]> wrote:
> This is not a security consideration, it is a protocol specification.
> And we just agreed not to specify the auth protocol.
>
> Works for me, however, from what I read in the authentication thread, what seems to have been decided was not to specify a particular authentication scheme. Requiring the use of the 401 response and the WWW-Authenticate header is a separate issue.

Yeah, but it's irrelevant. According to 2616, servers can send back 404 if they don't want to let you know why your request has failed. Careful observers of reality will note that servers can respond with whatever they want, so our goal should be to clearly specify the messages. Secondly, WWW-Authenticate is required for 401 responses. So... the messages are clear for this aspect of the protocol, so the text in question adds absolutely no value.

--
Robert Sayre

"I would have written a shorter letter, but I did not have the time."
